Dear all,

I'm stuck with a qmail installation that doesn't support TLS, so I'm trying
to get Spamdyke to deal with it on incoming connections.

Unfortunately I've not managed to get it to work - I get the following error
in the maillog when testing:

******
unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0BB:lib(20):func(138):reason(187)
******

My spamdyke.conf contains the following:

tls-certificate-file=/ssl/servercert.pem
tls-level=smtp-no-passthrough
#tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA
tls-dhparams-file=/ssl/dhparams.pem

I've tried with and without the tls-cipher-list line commented out (which
I'm not sure is in any way correct anyway - I was just trying to disable
SSLv2 and SSLv3) and similarly with and without the dhparams line commented
out.

I'm using the following to test:

openssl s_client -connect localhost:25 --starttls smtp

which just gives me:

*************
CONNECTED(00000003)
140244663195464:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 188 bytes and written 282 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
**************

(I've also tried specifying a protocol such as -tls1_2 but that doesn't make
any difference)

Spamdyke itself has TLS compiled: spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG
I did a fresh compile just to be sure. openssl and openssl-devel are
installed (latest versions).

The .pem appears to be valid, in as far as it is copied from a
qmail-with-tls server where it does work, and openssl verify says:

/ssl/servercert.pem: OU = Domain Control Validated, CN = *.REDACTED.TLD
error 20 at 0 depth lookup:unable to get local issuer certificate

I did initially have a permissions error on the .pem but that was giving me
"I/O error - unexpected EOF" type errors for the certificate in the logs,
but changing the perms resolved that one, thanks to a post by someone else
on the list a while ago.

Does anyone have any suggestions? Am I missing something obvious, as usual
:) ?

Any pointers or suggestions would be very much appreciated.

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
